Skip to content

Commit

Permalink
Scorecard: Delcare default permissions as read only except CodeQL.
Browse files Browse the repository at this point in the history
  • Loading branch information
winlinvip committed Jan 10, 2023
1 parent d340856 commit 4ae67f1
Show file tree
Hide file tree
Showing 4 changed files with 16 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: "CodeQL"
# @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
on: [push, pull_request]

# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions: write-all

jobs:
analyze:
name: actions-codeql-analyze
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
tags:
- v6*

# Declare default permissions as read only.
permissions: read-all

jobs:
envs:
name: envs
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
name: Scorecard

on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
Expand Down Expand Up @@ -70,3 +71,8 @@ jobs:
uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
with:
sarif_file: results.sarif

# Delete the SARIF file.
- uses: geekyeggo/delete-artifact@v2
with:
name: SARIF file
3 changes: 3 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: "Test"
# @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
on: [push, pull_request]

# Declare default permissions as read only.
permissions: read-all

# The dependency graph:
# test(6m)
# multiple-arch-armv7(13m)
Expand Down

0 comments on commit 4ae67f1

Please sign in to comment.